Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

[ -> hackers ]

Tom Lane writes:

> > Will you expect the function to do dequoting etc. as well?  This might get
> > out of hand.
>
> Hm.  We already have such code available for nextval(),

IMHO, nextval() isn't the greatest interface in the world.  I do like the
alternative (deprecated?) syntax sequence.nextval() because of the
notational resemblence to OO.  (We might even be able to turn this into
something like an SQL99 "class" feature.)

As I understand it, currently
   relation.function(a, b, c)

ends up as being a function call
   function(relation, a, b, c)

where the first argument is "text".  This is probably an unnecessary
fragility, since the oid of the relation should already be known by that
time.  So perhaps we could change this that the first argument gets passed
in an Oid.  Then we'd really only need the Oid version of Joe's
has_*_privilege functions.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter